Corrective Action Plans

Finding 2022-017 U.S. Department of Health and Human Services AL No. 93.767 Children?s Health Insurance Program (CHIP) Significant Deficiency Over Reporting Repeat Finding: No Auditee?s Corrective Action Plan: BCHD will continue to work with the City's Finance department to ensure what is recorded on the general ledger reconciles to what is reported in the Form 440. The implementation of Workday Finance module should alleviate these findings. Contact Person: Chief Financial Officer ? Unyime Ekpa Completion Date: December 2023

Finding 2022-016 U.S. Department of Health and Human Services AL No. 93.767 Children?s Health Insurance Program (CHIP) Material Weakness Over Compliance and Internal Control over Period of Performance Repeat Finding: Yes Auditee?s Corrective Action Plan: BCHD will implement controls to allow only costs within the period of performance to be charged to a grant. BCHD will ensure that if there are any exceptions that allow for costs to be charged outside the period of performance, the proper supporting documents will be kept. Baltimore City's new financial system, Workday, allows for all supporting documentation to be kept electronically in one system. Policies and procedures for internal controls will be updated to incorporate processes in Workday and the accounting staff will be trained appropriately. Contact Person: Chief Financial Officer ? Unyime Ekpa Completion Date: December 2023

CORRECTIVE ACTION PLAN FOR THE YEAR ENDED DECEMBER 31, 2022 Title 2, U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Subpart F, Section 511 ? Audit Findings Follow-up requires the auditee to prepare a corrective action plan to address each audit finding included in the current year auditor?s reports. The Corrective Action Plan for Current Year Findings present our corrective action plan for the Financial Statement and/or Federal Award Findings described in the accompanying Schedule of Findings and Questioned Costs for the period ended December 31, 2022. Finding 2022-001 Responsible Party Name: Fred Gibbs Position: President ? Management Agent Telephone Number: 913-709-1811 Federal Agency U.S. Department of Housing and Urban Development Federal Program Mortgage Insurance for Purchase or Refinancing of Existing Multifamily Rental Housing (Section 207/223(F)) Compliance Requirements N ? Special Tests and Provisions Finding Type Financial Statement and Federal Awards Auditee?s Comment on Finding We agree with the auditor?s finding. Corrective Action We will follow our policies and procedures to ensure that our accounting records are kept accurate and complete, and a responsible official will review and sign off on the monthly financial statements. Anticipated Completion Date June 30, 2023

Finding 2022-005 Programs: All Material Weakness over Information Technology Security Repeat Finding: Yes Auditee?s Corrective Action Plan: We concur with the findings. The Baltimore City Office of Information & Technology (BCIT) has made significant progress in resolving this finding. Specific improvements are below: Vulnerability Management Status: ? BCIT continues to make progress on addressing the backlog of vulnerabilities in our environment. ? We transitioned to a new vulnerability management tool, Tenable, to reduce the number of false positives and issues with reporting that we had with our original tool. ? We hired an experienced vulnerability lead to take over the planning tracking and monitoring of backlog initiatives. ? As we finish up current initiatives like Win 10 v1909, SMBv1 Workstation, Flash Uninstall and Internet Explorer - we tee up new initiatives. ? We are currently in the planning / scoping phase to remove old versions of Adobe Acrobat, Adobe Products and Mozilla Firefox. ? For operational patching, we are deploying 90% of patches on critical servers within 7 days, but we are only deploying 70% of workstation patches within 3 weeks. Upcoming Vulnerability Management Milestones: ? We have a funded position to hire a full-time workstation vulnerability engineer to ensure workstation patching is at 95% completion after 3 weeks. We have reviewed resumes, selected a slate and plan to have a person join the team in May 2023. ? We have diagnosed the reason we are deploying 90% of patches on critical servers. We patch the operating system consistently, but we are not always patching applications on the servers. The server patching team has begun patching applications. For April 2023 critical server patches, we achieved 100% in 7 days. We will continue to monitor our corrective action. Privileged Access Entitlement Review Status: ? Developed and implemented a process to review privileged credentials city-wide. o The user requesting admin privileges fills out a privilege access agreement (PAA) that documents the privileges required. o The admin?s manager signs the request. o The user signs an acknowledgement of their responsibilities and attaches to form a ticket. o The ticket results in computer-based training being assigned to the admin. o The ticket is forwarded to appropriate team in BCIT ? server or desktop for their review / approval. o When training is verified and BCIT approvals are completed, the user is authorized to continue using existing credentials or assigned the new credentials requested. ? BCIT leveraged this exercise to standardize admin account naming conventions aligned with best practices. We now require separate admin accounts for workstation or server administration. We are disabling / doing away with the legacy one size fits all generic admin accounts (P accounts). Upcoming Milestones: o Complete the review and cleanup of the final wave of agencies ? BCIT, BCHD, BCFD and some stragglers from DPW, DHR and DOF ? May 2023 o Disable all privileged accounts that have not been used within 180 days ? May 2023 o Review any remaining P accounts for disposition ? June 2023 o Seek feedback from agencies on the FY 2023 Privileged Account review process and develop process improvements ? 1st quarter FY 24 o Begin FY 24 Privilege entitlement review process ? 2nd quarter FY 24. Segregation of Duties: The Blue Hill vendor now has a designated full-time Team Lead to oversee the City of Baltimore?s contract. Now that we have a dedicated Blue Hill Team Lead, the VMLIB process and programmer rights will be modified to only allow the Blue Hill Team Lead or the BCIT Mainframe Manager to promote programs to production. Mainframe Restoration: To restore mainframe operations at the secondary data center, BCIT employs Blue Hill, who maintains an alternative backup site in New Jersey (BlueZone) should the main location in Pearl River, New York ever go down. o Every night the data and code are replicated and transmitted to the backup site. o Should a disaster occur, the backup (BlueZone) site will be operational in less than 48 hours. Contact Person: Todd Carter, CIO/CDO Baltimore City Completion Date: June 2024 and continuously reviewing.

Finding 2022-004 Programs: All Material Weakness over Fixed Asset Accounting Repeat Finding: Yes Auditee?s Corrective Action Plan: The City has purchased Workday, an Enterprise Resource Planning (ERP) system, and implemented the software with the assistance of Accenture consultants. Although Workday is ?live? as of August 2022, the City is currently working to implement the business asset module. This module will allow assets to be flagged during the purchase process and the majority of existing assets to be uploaded and depreciated by Workday. Specific improvements are as follows: ? Depreciation will be run monthly rather than at the end of the year, allowing for a more regular review of the fixed assets. ? Workday reports which reconcile the subsidiary fixed asset module to the general ledger will be run monthly and reviewed. ? A new Workday role within each agency, an asset tracking specialist, will be responsible for reviewing the fixed asset listing and working with the Department of Finance ensuring that assets are capitalized properly. ? A Capital Assets policy has been drafted and is expected to be reviewed and approved. ? The City has uploaded assets in to Workday thru fiscal year 2021 and has agreed these to the ACFR publication for fiscal year 2021. The City has also uploaded the fiscal year 2022 assets and is in the process of paralleling the FY 22 results. Additionally, fiscal year 2023 assets purchased thru Workday have been capitalized in Workday using Workday functionality. The City expects to use Workday to calculate the fiscal year 2023 depreciation. Contact Person: Michael Moiseyev, Chief Financial Officer, Baltimore City. Completion Date: December 2023

Finding 2022-003 Programs: All Material Weakness over Water and Wastewater Billing Function Repeat Finding: Yes Auditee?s Corrective Action Plan: The Department of Public Works (DPW) took several steps to assess, evaluate, and improve water and wastewater billing functions, including the following: ? The Office of the Mayor led a review of unbilled properties that have no accounts established within the billing system. A minimal number of properties were found and, upon further investigation, the majority of those properties were improperly coded. ? Baltimore City and Baltimore County undertook a joint review of the entire water and wastewater utility, using a private consultant. This analysis provided a framework for how to improve the utility, including billing. Additionally, Baltimore City and Baltimore County have formed a strong partnership on utility-related issues, meeting every month. Both jurisdictions are tracking the findings of a joint Baltimore City and Baltimore County Office of Inspector General Report on billing-related issues. The City/County team continues to evaluate the issues identified in the OIG report with those identified by the consultant to find areas of overlap. ? There is an initiative to reform the DPW meter shop. This initiative involves a task force made up of DPW and Mayor?s Office staff who immersed themselves full-time in the meter shop. Thus far, vehicle issues, equipment issues, logistical issues, and some training issues have been assessed and resolved, leading to improved morale and more effective operations. ? In late November 2020, DPW optimized water billing cycles and schedules through a software program called Route Smart. City customers are billed monthly. Route Smart realigned the billing cycles so that customers were evenly divided into the 15 groups and were also located in the same geographic area of the City. This allows the meter technicians to stay in one region when addressing meter issues rather than wasting time traveling back and forth throughout the City. Since optimization, DPW averages 99% of bills being issued for each cycle on a regular basis. ? In July 2021, the Customer Support and Services Division (CSSD) implemented an Escalations and Adjustments committee to review all adjustments over $500. Any adjustment over $500 cannot be entered into UMAX without approval from this committee. Adjustments are audited weekly to ensure the integrity of the process. ? All CSSD and Meter Shop supervisors have completed training to write and document standard operating procedures (SOPs). SOPs will be revised for all Billing, Customer Service, and Meter Operations. DPW staff anticipate the SOPs will be completed and finalized by January 31, 2023. ? In July 2022, DPW launched an internal dashboard tracking a wide array of vital operational and performance metrics for CSSD and Meter Shop staff. Management is using the dashboard to benchmark and set KPIs for improving customer response times, work order completions, accurate billing, and revenue collections. ? Reorganization of CSSD and Meter Shop operations to include an Internal Process Improvement team (Quality Assurance) and a Data Team (Quality Control) for monthly billing and customer service response times. ? CSSD and the Meter Shop work collaboratively to ensure reads are entered and meters are fixed or replaced so that we can provide timely and accurate monthly billing ? In addition to the reactive training provided to CSSD staff from August 2021 to March 2022, CSSD has created a monthly training calendar to provide proactive and leadership development sessions since April 2022 to increase knowledge, skills, and abilities. Contact Person: Michael Moiseyev, Chief Financial Officer, Baltimore City Jason W. Mitchell, Director, Department of Publix Works Completion Date: Completed June 2022. Currently in support phase for ongoing improvements.

Finding 2022-002 Programs: All Material Weakness over Financial Reporting Repeat Finding: Yes Auditee?s Corrective Action Plan: The City has purchased Workday, an Enterprise Resource Planning (ERP) system, and implemented the software with the assistance of Accenture consultants. Although Workday went ?live? as of August 2022, the City is currently working to refine the software and fully utilize its functionality. The new system includes improved financial reporting and functionality. Specific improvements available are: ? Allocations which were calculated manually, such as overhead allocations, are being automatically calculated and created in Workday. ? There has been an extensive review of the chart of accounts, including the use of hierarchies, which more closely align the financial and budgetary reporting needs of the City. ? The City will be using ?control? accounts for accounts receivable and accounts payable, which requires the subsidiary systems to reconcile to the general ledger. ? The City will be using multi-book accounting, which will allow for GAAP entries to be entered into a separate ledger. ? The City is purchasing Workiva, a cloud-based software, which will interface with Workday and update the Annual Comprehensive Financial Report (ACFR) document. It will provide an audit trail for changes to the ACFR document. This implementation is slated to begin in June 2023, but full implementation may not occur until fiscal year 2024. Contact Person: Michael Moiseyev, Chief Financial Officer, Baltimore City Completion Date: December 2024

Finding 2022-024 U.S. Department of Health and Human Services AL No. 93.977 Sexually Transmitted Diseases (STD) Prevention and Control Grants Significant Deficiency and Noncompliance over Period of Performance Repeat Finding: No Condition: For 4 of 40 expenditure transactions selected for testing, the transactions were incurred outside of the period of the performance for the grant. Criteria: In accordance with 2 CFR ?200.303: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. According to 2 CFR section 200.309, a non-Federal entity may charge to the Federal award only allowable costs incurred during the period of performance and any costs incurred before the Federal awarding agency or pass-through entity made the Federal award that were authorized by the Federal awarding agency or pass-through entity. Cause: There was a timing delay at the end of the fiscal year between the agency billing the grant and when the actual expenditure was recorded in the GL system to create the SEFA. Effect: The City was not in compliance with the period of performance requirements. Questioned Costs: $276,183. Recommendation: We recommend the City establish and implement internal controls that provide reasonable assurance that grant expenditures recorded in the general ledgers are recorded in the proper grant period. Auditee Response and Corrective Action Plan: Management agrees with the finding. Refer to the corrective action plan on current findings in Part V of this report. Auditor?s Conclusion: Finding remains as stated.

2022-003 Housing Voucher Cluster ? Assistance Listing No. 14.871 Recommendation: The Authority should review their HQS inspection policies to ensure that all inspections are performed timely and that all necessary documentation is maintained for each inspection. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The Northwest Oregon Housing Authority has reviewed its inspection policies regarding timely inspections and maintenance of inspection documents. NOHA attempted to conduct inspections on all units following the lifting of COVID restrictions. NOHA is continuing to clean up software data to ensure proper documentation of inspections. Name(s) of the contact person(s) responsible for corrective action: Sandra Soucie, HCV Manager, HCVManager@nwoha.org Planned completion date for corrective action plan: 3/31/2023

Finding 2022-022 U.S. Department of Health and Human Services AL No. 93.940 HIV Prevention Activities Health Department Based Material Weakness over Period of Performance Repeat Finding: Yes Auditee?s Corrective Action Plan: BCHD will implement controls to allow only costs within the period of performance to be charged to a grant. BCHD will ensure that if there are any exceptions that allow for costs to be charged outside the period of performance, the proper supporting documents will be kept. Baltimore City's new financial system, Workday, allows for all supporting documentation to be kept electronically in one system. Policies and procedures for internal controls will be updated to incorporate processes in Workday and the accounting staff will be trained appropriately. Contact Person: Chief Financial Officer ? Unyime Ekpa Completion Date: December 2023

2021-001 Reporting and Written Policies and Procedures Corrective action planned: Middle Park Health (MPH) management agrees that quarterly financial reporting to USDA as required did not occur in 2022. Turnover in finance leadership during 2022 contributed to this oversight among other factors. At no point did MPH receive communication from USDA surrounding lack of compliance with this requirement. Upon discovering this weakness, MPH promptly implemented corrective action. Reminders have been set following the approval of each quarter?s financial statements by the Board of Directors to submit quarterly financial reports to USDA contacts. The first set of quarterly financials for 2023 were submitted to the USDA on April 28, 2023 and USDA confirmed receipt of these documents as well as confirming that the distribution list used by MPH for this submission was appropriate. MPH does not anticipate further noncompliance with this requirement. MPH will also develop written policies and procedures for the required reporting. Anticipated completion date: April 27, 2023 Contact person responsible for corrective action: Emily Ebert, CFO & Mikealena Horner, Accountant

Finding Number: 2022-003 Condition: During the audit of federal expenditures, it was noted that the Charter Township incorrectly reported project expenditure categories to Treasury. Planned Corrective Action: The Township will put procedures into place to ensure appropriate layers of review are performed when reporting expenditures. Contact person responsible for corrective action: Finance Director Anticipated Completion Date: 3/31/2023

Finding 2022-030 Food Distribution Cluster, ALN 10.565, 10.568, and 10.569 - Accountability for USDA Foods Management Views MDE agrees with the finding. During fiscal year 2022, MDE determined that The Emergency Food Assistance Program (TEFAP) State Plan was inefficient and discontinued reviewing eligible recipient agencies (ERA) as outlined in the plan. MDE modified its TEFAP State Plan for fiscal year 2023 to be more reflective of TEFAP inventory movement and still meet the requirements of federal regulation 7 CFR 251.10(e). Planned Corrective Action MDE revised the fiscal year 2023 Michigan TEFAP State Plan, effective October 2022, to require MDE to review ERAs that are considered ?subdistributing agencies? onsite annually and all TEFAP ERAs to submit inventory records and TEFAP foods documentation to MDE as requested twice a year. The change was announced to TEFAP ERAs during the annual All Agency Meetings at the end of August 2022 and through follow up emails and communications. Anticipated Completion Date MDE has already completed the majority of fiscal year 2023 desk and on-site reviews under the revised process and will have completed all of the required fiscal year 2023 inventory reviews by July 31, 2023. Responsible Individual(s) Aimee Alaniz, MDE

Finding 2022-028 SNAP Cluster, ALN 10.551 and 10.561 - EBT Reconciliations Management Views MDHHS agrees with the finding. Planned Corrective Action MDHHS has been working with the vendor and DTMB data warehouse technical staff to update and correct the Benefit Issuer Food Stamp Report (BT-90) so that it includes recipients who received Supplemental Nutrition Assistance Program (SNAP) benefits under the expanded COVID-19 eligibility requirements. The BT-90 is used to help ensure the client information in Bridges is accurate and does not have an impact on the federal draw. Anticipated Completion Date December 31, 2023 Responsible Individual(s) Sara Gross, MDHHS

Finding 2022-006 Income Eligibility and Verification System Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately, as designed, where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. Planned Corrective Action For parts a., b., and c., MDHHS?s ESA will continue to provide training and policy support to ensure that the local office specialists appropriately utilize the IEVS interface information in determining recipients? eligibility when applicable. ESA is developing and prioritizing a technical solution that will ensure the IEVS information is being addressed timely and used correctly in eligibility determinations. For part d., MDHHS is collaborating with other work areas to facilitate the match process for the IEVS interfaces for recipients funded by Temporary Assistance for Needy Families adoption subsidies. For part e., DTMB will review the process of how it receives the Public Assistance Reporting Information System (PARIS) file from their partners and transmits it to MDHHS Bridges. DTMB will investigate potential process improvements to limit the likelihood of the PARIS file not being transmitted. For part f., MDHHS disagrees with the finding and does not intend to take further action. For part g., MDHHS, with U.S. Department of Agriculture (USDA) Food and Nutrition Service guidance, will explore opportunities with Treasury, Tribal partners, and independent casinos to determine the feasibility of a gaming data match. Anticipated Completion Date a., b., and c. Training and policy support is ongoing. MDHHS anticipates that the technical solution will be completed by December 31, 2023. d. September 30, 2024 e. DTMB anticipates the process improvements will be implemented by September 30, 2023. f. Not applicable g. September 30 2024 Responsible Individual(s) a., b., c., and g. Dawn Sweeney, MDHHS d. Kathonya Rice, MDHHS e. Nathan Buckwalter, DTMB f. Logan Dreasky, MDHHS

Finding 2022-004 Bridges Security Management and Access Controls Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer?s recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and SOM standard security safeguards. Planned Corrective Action For parts a., d., and e., MDHHS will implement the Database Security Application (DSA) Bridges form which establishes a method to document user access request approval electronically and includes a semi-annual review of privileged users and an annual review of all users that is required to prevent automatic removal of access. For part b., MDHHS will prioritize updates to Bridges that will require the local office security coordinator (LOSC) to document security monitoring reports within Bridges alerts and generate a reminder to the LOSC and their manager to reconcile the report. Before the alert can be closed, the LOSC will be required to enter comments for actions taken and approve the report. For part c., DTMB developed an organization-wide framework for database security configuration management. For part f., MDHHS?s Economic Stability Administration (ESA) issued a revised memo on October 3, 2022, to Business Service Centers (BSCs) and local offices to reiterate the need for reviewing, documenting, and completing the required high-risk transaction reports timely. For part g., during February 2022, MDHHS?s Bridges Resource Center (BRC) revised their reconciliation process of high-risk transactions to comply with the changed policy requirements and ensure separate reviews are performed for each type of high-risk transaction. MDHHS?s ESA issued a revised memo on July 11, 2022, to address changes made for non-BRC Central Office staff transactions to reiterate the need for reviewing, documenting, and completing the required high-risk transactions timely. Also, an email reminder is sent out two days prior to the high-risk transaction report due date to help ensure timeliness of the reviews. Anticipated Completion Date a, d., and e. MDHHS anticipates the first phase of the DSA Bridges form will be implemented by October 2023 as a pilot and then roll out statewide with full automation by September 2024. Semi-annual and annual reviews will begin 6 months and 12 months, respectively, from the time each DSA Bridges form is implemented for each respective user. b. August 2024 c. DTMB anticipates having compliance documentation by September 30, 2023. f. Completed with ongoing monitoring. g. Completed Responsible Individual(s) a., b., d., and e. Deon Nelson, MDHHS c. Nathan Buckwalter, DTMB f. MDHHS ESA and BSC Directors g. Todd Gore and Russell Gruber, MDHHS

Finding ref number: 2022-001 Finding caption: The District did not have adequate internal controls for ensuring compliance with wage rate requirements. Name, address, and telephone of District contact person: Jeri Carlson 33330 8th Ave S Federal Way, WA 98003 253.945.2045 During the course of the audit, the District immediately took steps to obtain and review all certified payroll documents from the beginning of the project to current and verified that the contractor was compliant with federal prevailing wage rules. This information was provided to the Auditors. The District has already taken steps to ensure the additional compliance steps are followed for federally funded construction projects. The District will also ensure staff are appropriately trained on these requirements.

DHS will complete training and review with field staff on the required documentation for RIW. This will include training with CSDL, office hours with eligibility field staff, attending supervisors meeting to verify documentation during case reviews, and utilizing new reports from MMIS. MMIS team are developing a report for verification to be provided to RIW vendors to ensure accurate documentation is sent to DHS and is retained accurately. Anticipated Completion Date: June 30, 2024 Contact Person: Kimberly Rauch, RI Works / TANF Administrator Department of Human Services kimberly.rauch@dhs.ri.gov

Finding Number: 2022-001 Condition: The System does not have a formal review process to ensure the revenue reported within the PRF reporting submissions properly reconciles to the underlying financial statements. The System selected Option i for reporting lost revenues, however the actual revenue reported for each quarter of 2022 did not reconcile to the underlying accounting records. Planned Corrective Action: Management will implement a process to ensure an independent review of the reporting submission is completed prior to submission. The lost revenue reported in the period four portal submission was overstated by approximately $360,000 as a result of the error identified. The System had excess lost revenue that did not have to be utilized to justify recognition of the funding received, therefore this error had no impact on meeting the conditions of the funding received. Contact person responsible for corrective action: Kevin Riley, CFO Anticipated Completion Date: 9/30/2023

United States Department of Health and Human Services 2022-004 Medical Assistance ? Assistance Listing No. 93.778 Recommendation: The County should implement a review process over medical assistance case files. A sample of cases should be reviewed by someone knowledgeable of the program requirements on a periodic basis and documented. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Management will add a case file documentation process for the casefiles being reviewed. Name(s) of the contact person(s) responsible for corrective action: Heather Olson Auditor/Treasurer Planned completion date for corrective action plan: December 31, 2023

Steilacoom Historical School District No. 1 September 1, 2021 through August 31, 2022 This schedule presents the corrective action planned by the District for findings reported in this report in accordance with Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Finding ref number: 2022-001 Finding caption: The District did not have adequate internal controls for ensuring compliance with federal wage rate requirements. Name, address, and telephone of District contact person: Shawn Lewis, Assistant Superintendent 511 Chambers Street Steilacoom, WA 98388 253-983-2233 Corrective action the auditee plans to take in response to the finding: (If the auditee does not concur with the finding, the auditee must list the reasons for non-concurrence). The district concurs that it lacked appropriate internal controls to ensure compliance with the federal wage rate requirements. It is highly unusual for a school district to receive federal funds for construction activities and the required contract provisions are not included in the district?s standard contracting templates. The State Auditor's Office reported that the former CFO indicated that she and staff were unaware of federal wage rate requirements. The district agrees that the former CFO should have been aware of these requirements and was responsible to ensure compliance with the requirements. Page 61 Office of the Washington State Auditor sao.wa.gov The district does not expect to receive any federal funds to support construction activities in the near future and therefore finds it highly unlikely that this condition will be repeated. However, the district will take the following steps as corrective action: 1. Update formal procedures to specifically require staff to consider Davis Bacon and other federal requirements when public works are funded with federal funds. 2. Ensure current staff responsible for public works project compliance understand the federal requirements when federal funds are used for such projects. The district believes that these corrective action steps in addition to a change in personnel responsible for overall federal compliance will provide reasonable assurance of future compliance. Anticipated date to complete the corrective action: 9/01/2023

UNITED STATES DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT Lincoln School Senior Apartments respectfully submits the following corrective action plan for the year ended March 31, 2022. Name and Address of Independent Public Accounting Firm: Squires Maddux & Company, PLLC 100 Second Avenue South, Ste 270 Edmonds, Washington 98020 Audit Period: March 31, 2022 Prepared by: Name: Steve Armatage Position: Controller Telephone Number: (206) 441-8866 Extension 105 Email Address: sarmatage@panpacificproperties.com The findings from the March 31, 2022 schedule of findings and questioned costs are discussed below. The findings are numbered consistently with the numbers assigned in the schedule. Section A of the schedule, Summary of Audit Results, does not include findings and is not addressed. FINDINGS ? FINANCIAL STATEMENTS AUDIT NONE. FINDINGS ? FEDERAL AWARDS PROGRAMS AUDITS DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT FINDING 2022-001: Section 202, CFDA 14-157 Supportive Housing for the Elderly S3800-030 Statement of Condition ? All of the deposits were made at year end, but due to availability of funds, three of the twelve deposits were made late. FINDINGS ? FEDERAL AWARDS PROGRAMS AUDITS (Continued) DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT FINDING 2022-001: Section 202, CFDA 14-157 Supportive Housing for the Elderly (Continued) S3800-045 Reporting Views of Responsible Officials - Management applied for and received a significant rent increase from HUD that should help improve liquidity so that sufficient funds are available to make the required reserve deposit when due. Property(s) and associated questioned costs this finding applies to: S3800-037 FHA/Contract Number - 127EE034 S3800-038 Questioned Costs - $0 S3800-080 Recommendation - Management has taken steps to improve liquidity so that sufficient funds should be available for monthly deposits. Management should ensure those deposits are made monthly. S3800-140 Completion Date ? June 20, 2022 S3800-150 Response - Management has taken corrective action and concurs with the auditor?s recommendation. If the Department of Housing and Urban Development has questions regarding this plan, please call Steve Armatage at (206) 441-8866 Extension 105. Sincerely yours, ______________________________________________ Steve Armatage, Pan Pacific Properties Inc. Controller

Finding No. 2022-001 Material Weakness Personnel Responsible For Corrective Action: Jacob Flowers, Senior Accountant Anticipated Completion Date: August 2023 Corrective Action Plan: The Boone County Auditor?s office will create a report containing all the amounts that were previously submitted to US Treasury portal. This report will show when the new projects were added and the amounts that were allotted to each project. The report will also show how much was paid to each project every quarter and the remaining balances for each project at the end of every quarterly submission. The bottom of the report will show the current quarterly submission which will contain all the new projects added, all the expenditures made, and the remaining balances for each project. The report will also show the remaining balance for ARPA funding that has not been assigned to a project. The report will have a signature line for the accountant who prepared this report and who will be responsible for submitting these amounts to the portal. A second signature line will be for the accountant who will review these amounts and approve it for submission. Once it has been approved for submission, this document will be saved for historical review.

2022 ? 002 Emergency Rental Assistance ? Assistance Listing No. 21.023 Condition: The County was not able to provide supporting documentation for their reported amounts. The County failed to retain data records for the point in time that was used to report each submission. As a result, reported key line items could not be supported. Recommendation: We recommend that policies and procedures be implemented to ensure that all financial and special reports are filed timely and accurately and that reports are reviewed and approved by an authorized State official prior to submission to ensure accurate support for the reported amounts. Views of responsible officials and planned corrective actions: The county agrees with the finding will improve the process for reporting under the Emergency Rental Assistance program and retain documentation that supports the information reported. ERAP program management will provide supporting documentation for their reported amounts to the Federal Treasury moving forward. We have implemented corrective action in May 2023 for preparation and submission of the ERA2 2023 Q1 Treasury report. Responsible Official: Ramona Farineau, Chief Financial Officer Planned completion date for corrective action plan: May 31, 2023

Finding 2022-002 Federal Agency Name: United States Department of Health and Human Services Health Resources & Services Administration Program Name: Medicaid Administrative Claiming (MAC) CFDA # 93.778 Finding Summary: We noted that the Center filed the quarterly reports as required; however, upon reviewing the support for the expenditures for the second quarter, it was noted that reported numbers were inaccurate which resulted in incorrect reporting and the receipt of unearned grant funds. Responsible Individuals: Chief Financial Officer Corrective Action Plan: With specific regard to Medicaid Administrative Claiming (MAC) reporting? The Center will review and evaluate staff duties to provide proper segregation of duties. This will ensure that errors or irregularities are prevented or detected on a timely basis in the normal course of business and promptly corrected. The Center will review and evaluate staff training to ensure MAC reporting is performed in accordance with policies and procedures. The Center will review and evaluate MAC reporting review and approval processes to identify and correct errors prior to submitting the MAC reports. Anticipated Completion Date: August 31, 2023